DETAILED ACTION

1. Claims 1, 4, 8-16, and 20-23 are pending. 

2. A request for continued examination under 37 CFR 1.114, 
including the fee set forth in 37 CFR 1.17(e), was filed in this 
application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the 
fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn 
pursuant to 37 CFR 1.114. Applicant's submission filed on 
11/16/2007 has been entered. 

Claim Rejections - 35 USC §101 

3. The rejections under 35 U.S.C. 101 have been withdrawn 
based on the filed amendment. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not 
identically disclosed or described as set forth in section 102 of this 
title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the 
invention was made. 

5. Claims 1, 4, 10-16, 21 and 22 are rejected under 35 U.S.C.
103(a) as being unpatentable over Chess (US 6192512) in view of
Chambers (US 5398196).

As per claims 1, 10, 11, 12, and 14, Chess discloses a 
method of detecting viral code in subject files, comprising: 
creating an artificial memory region spanning one or more 
components of the operating system (see Fig. 2 column 4 lines
49-51); emulating execution of at least a portion of computer 
executable code in a subject file (see column 4 lines 33-49); 
detecting an attempt by the emulated computer executable code to 
access the artificial memory region; and determining based on 
the attempt to access the artificial memory region that the 
emulated computer executable code is viral (see column 4 lines
49-54).

Chess fails to explicitly disclose monitoring operating 
system calls by the emulated computer executable code to detect 
an attempt to access the artificial memory region. 

However, Chambers teaches such monitoring (see column 6
line 60 through column 7 line 15).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to monitor the operating 
system calls of the Chess system. 

Motivation to do so would have been to detect viral
activity and report the status of all operating system requests 
performed by the program (see Chambers column 7 lines 55-60). 

As per claims 4 and 16, the modified Chess and Chambers 
system discloses emulating functionality of the identified 
operating system call while monitoring the operating system call 
to determine whether the computer executable code is viral (see 
Chess column 4 lines 33-54). 

As per claims 13 and 15, the modified Chess and Chambers 
system discloses a fourth segment comprising auxiliary code, 
wherein the auxiliary code determines an operating system call 
that the emulated computer executable code attempted to access; 
a fifth segment comprising analyzer code, wherein the analyzer 
code monitors the operating system call to determine whether the 
computer executable code is viral, while emulation continues 
(see Chess column 4 lines 33-54). 

As per claim 21, the modified Chess and Chambers system 
discloses monitoring accesses by the emulated computer 
executable code to the artificial memory region to detect 
looping; and determining based on the detection of looping that 
the emulated computer executable code is viral (see Chambers
column 10 lines 40-58).

As per claim 22, the modified Chess and Chambers system
discloses creating an artificial memory region comprises
creating a custom version of an export table with predetermined
values for the entry points (see Chambers column 9 lines 14-54).

6. Claims 8, 9, 20 and 23 are rejected under 35 U.S.C. 103(a)
as being unpatentable over the modified Chess and Chambers
system as applied to claims 1 and 14 above, in view of Swift (US
6308274).

As per claims 8, 9, 20 and 23, the modified Chess and 
Chambers system fails to disclose monitoring access by the 
emulated computer executable code to dynamically linked 
functions to determine viral activity. 

However, Golan teaches preventing access to dynamically
linked functions to prevent the spread of viruses (see column 13
lines 16-43).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to monitor accesses
(either direct or through jump tables) to dynamically linked
functions in the emulation system of Chess and Chambers.

Motivation to do so, as recognized by one of ordinary skill
in the art, would have been that DLLs are a common way viruses
spread.

Application/Control Number: 09/905,532

Art Unit: 2137

Response to Arguments 

7. Applicant's arguments with respect to the art applied to 
claims 8, 9, 20, and 23 have been considered but are moot in 
view of the new ground(s) of rejection. 

Applicant's arguments filed 11/16/2007 have been fully
considered but they are not persuasive. Applicant argues
Chambers does not disclose monitoring operating system calls by
the emulated computer executable code and the combination of
Chess and Chambers is improper.

With respect to Applicant's argument that Chambers does not
disclose monitoring operating system calls by the emulated
computer executable code, the monitor of Chambers is executed
whenever an operating system is called to execute a program.
This program monitors the target program (i.e. emulated computer
executable code) to see if it is attempting to access memory
selected for controlled access. This memory includes operating
system procedures and data areas with certain addresses. When
an instruction attempts to access the memory this is logged (see
column 7 lines 16-32 and column 8 lines 3-35). Since the
operating system provides access to memory via system calls,
Chambers teaches monitoring operating system calls by the
emulated computer executable code.

With respect to Applicant's argument that the combination
of Chess and Chambers is improper, Chess teaches virus detection
by emulation and memory accesses, Chambers teaches a similar
system with the additional feature of reporting the status of all
operating system requests performed by the program. Therefore,
the motivation to combine the references, as given above, is
proper, making the combination proper.

Conclusion 

Any inquiry concerning this communication or earlier
communications from the examiner should be directed to Michael
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be
obtained from the Patent Application Information Retrieval
(PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status
information for unpublished applications is available through
Private PAIR only. For more information about the PAIR system,
see http://pair-direct.uspto.gov. Should you have questions on
access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free). If you would
like assistance from a USPTO Customer Service Representative or
access to the automated information system, call 800-786-9199
(IN USA OR CANADA) or 571-272-1000.